This year has seen several ransomware attacks on cities and municipal targets, clearly demonstrating that the threat from ransomware has not abated, despite several analyses from cybersecurity firms that suggest hackers are moving away from ransomware and concentrating on cryptomining malware attacks.

Cryptocurrency miners have certainly become more popular and their use has increased substantially in recent months, but there is still a significant threat from ransomware.

Ransomware development may have slowed, but ransomware attacks on cities and other high value targets have not. In fact, October has seen two new ransomware attacks on cities in the United States, along with several attacks on municipal targets. In the past few months. It is clear that the threat is not going away any time soon.

$2,000 Ransom Paid to Resolve City of West Haven Ransomware Attack

The city of West Haven ransomware attack started on the morning of October 16, 2018, and by the time the attack had been contained, 23 servers had been encrypted and taken out of action. Prompt action limited the scope of the attack, although it did cause major disruption as computers on the affected network had to all be shut down.

The attack affected a critical system, and after an assessment of the situation, the decision was taken to pay the ransom. Considering the number of servers affected, the ransom demand was relatively low. The city paid $2,000 in Bitcoin for the keys to decrypt its files.

Art House, Connecticut’s chief of cybersecurity, explained that this was one of several targeted ransomware attacks on cities and municipal services in the state in recent weeks. In February, around 160 computers were affected by ransomware in more than a dozen agencies in the state according to the Department of Administrative Services, and a month later the state’s Judicial Branch was attacked and had more than 100 servers encrypted.

City of Muscatine Ransomware Attack

The West Haven ransomware attack was shortly followed by a ransomware attack on the city of Muscatine in Ohio, which saw files on several government servers encrypted. The attack is understood to have started on October 17 and caused considerable disruption especially to services at City Hall.

Few details about the attack have been made public, although it is understood that the ransom demand was not paid. Instead, IT teams have had to painstakingly rebuild affected servers and workstations and restore files from backups.

Ransomware Attack on City of Atlanta

In August one of the most serious ransomware attacks on cities occurred. The City of Atlanta was attacked with SamSam ransomware, which was manually deployed on multiple computers after access had been gained to the network. The attack occurred in March and took down computers used for many city services, causing major disruption for weeks. A ransom demand of around $50,000 was issued, although the decision was taken not to pay. Initially the cost of recovery was expected to reach $6 million. Later estimates in the summer suggest that the final cost may exceed $17 million, highlighting just how costly ransomware attacks on cities can be.

Ransomware Attacks on Municipal Services Becoming More Common

Ransomware attacks on cities are becoming more common, as are attacks on municipal targets. In October, the Onslow Water and Sewer Authority in Jacksonville, North Carolina was attacked with ransomware resulting in most systems being taken out of action. In that case, a dual attack occurred, which started with the Emotet Trojan followed by the deployment of Ryuk ransomware two weeks later. The attack is expected to disrupt services for several weeks. The Indiana National Guard also suffered a ransomware attack in October. In both cases, the ransom was not paid.

Prevention and Incident Response

One of the reasons behind the rise in ransomware attacks on cities is underinvestment in cybersecurity defenses. Too little has been spent on protecting systems and updating aging hardware and software. With many vulnerabilities left unaddressed, staff receiving insufficient training, and even basic cybersecurity defenses often found lacking, it is no surprise that the attacks are increasing.

The only way that the attacks will be stopped is by spending more on cybersecurity defenses and training to make it much harder for attacks to occur. It can certainly be hard to find the money to commit to cybersecurity, but as the City of Atlanta found out, the cost of prevention is far lower than the cost of recovery from a ransomware attack.